The Anti-Spam Law isn’t just about spam – let’s install some computer programs

Oh sure, we’ve written about how stupid CASL (Canada’s Anti-Spam Law) is around here many times. Basically because it’s stupid. But we’ve always focused on the actual spam parts of the law. However coming very soon, another part of the law is going to come into effect. And finally, last week the CRTC provided some guidelines on the subject. So we better take a look at this business about installing computer programs. Is it as stupid as the spam parts? We’ll see!

So a little background here. First, we must remember that CASL is the “unofficial” title of the law. The actual title doesn’t even mention spam. Here, read this if you can:

An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act

Yeah I don’t understand it either. So on January 15, 2015, section 8 of CASL will come into force. It mentions spam (sort of) but it’s not about spam. It’s about installing computer programs. Let’s read the important part of it together, shall we:

8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); (…)

So this provision is generally thought to target annoying programs like adware and malware. That’s a good thing! My PC is probably loaded with that crap right now. But like with section 6 of CASL (the spam part) the approach taken is kind of on the broad side. In the same way section 6 talked about “Commercial Electronic Messages” (CEMs) instead of “spam”, this provision talks about “computer programs” instead of “annoying fucking computer programs that redirect Firefox to Russian bride sites when all I want to do is get to RedTube”.

Just so we all understand what section 8 means, it means that a person or business cannot install, or “cause to be installed” a computer program without the express consent of the owner / user of the “computer system”. What is a “computer program” and a “computer system”? Let’s check the definitions section of CASL:

“computer program” has the same meaning as in subsection 342.1(2) of the Criminal Code.
“computer system” has the same meaning as in subsection 342.1(2) of the Criminal Code.

Oh fuck me. Do some work FFS you lazy drafters. OK, to the Criminal Code!

“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

“computer system” means a device that, or a group of interconnected or related devices one or more of which,
(a) contains computer programs or other data, and
(b) pursuant to computer programs,
(i) performs logic and control, and
(ii) may perform any other function;

OK well that was pretty useless and circular. Let’s just say that computer programs and computer systems are what you think they are. Now let’s go back to CASL’s Section 8. Maybe the CRTC guidelines have clarified the broad outlines?

The short answer is yes; the CRTC has done a semi-decent job here. First, they start off with this handy piece of advice:

When does CASL apply to the installation of computer programs?
First off, don’t panic.

I am not joking, they actually wrote this. Despite the fact they are stealing from the Hitchhiker’s Guide to the Galaxy, I still think that’s good advice here. They go on:

CASL does not apply to owners or authorized users installing software on their own computer systems (e.g., personal devices such as computers, mobile devices or tablets).

See, that’s good. You can install software (so, computer programs?) on your own systems without fear of violating the law. Phew. And nice they clarified that computer systems include devices and tablets. They go on to clarify:

CASL only applies when you install or cause the installation of software on another person’s device in the course of commercial activity.

My emphasis as usual. Basically do what you want on your own computer, it’s others that are the issue here. The CRTC really wants to make this clear, dammit:

For example, the owner of a mobile device goes to an app store to purchase and download an app. As the owner is installing the app on their own personal device, CASL does not apply.

So 99% of you won’t really have to worry about it. Now, if you are one of the 1% and would like to install computer programs on someone else’s system, you need consent. What kind of consent? Express consent. A proper request for express consent has essentially the same requirements as for express consent for CEMs. You have to tell them what you want consent for, who you are, how to contact you by snail mail and electronically, and a statement that the person can withdraw their consent any time. Now, they do add a requirement that the consent request must include a “description in general terms of the functions and purpose of the computer program to be installed”, which seems reasonable.

But wait, there’s more! If the computer program will perform what I will call “exceptional functions”, you have to tell them that too. These exceptional functions include collecting personal information, changing user settings or preferences, and some other things I won’t list here because I can see you’re bored already.

Jeez Allen, I’m bored. Also, this is an internet law blog get to the internet stuff already

Boy you people are sensitive. OK, OK, I agree. Really, what is a computer program? I run a website, and I use cookies because I am evil. Cookies are computer code. Are they a program? IMHO they would certainly fulfill the Criminal Code definition above. There is a shitload of other things that may get installed when you visit a website, that could also be a program. Are the website owners allowed to install them without consent? Maybe! Here:

If your program is included in the following list, you do not need to request consent prior to the installation:

Cookies

HTML

Javascript

An operating system

Any other program that is executable through another program that was already consented to (…)

I cannot tell you how important those first three are for the internet world. Thank goodness. Now, probably the CRTC has just robbed me of a bunch of legal fees I may have earned giving advice to website owners, but I can exchange some fees for the good of the internet. I’m like a commie that way. Oh wait, there’s an exception:

Note that you are only considered to have consent for these types of computer programs as long as the person’s conduct indicates that they consent to it. For example, if the person disables Javascript in their browser, you would not be considered to have consent under CASL since their conduct would not indicate that they consent to that type of program. Similarly, if the person disables cookies in their browser, you would not be considered to have consent to install cookies.

Maybe I can squeeze some fees out of that.

Now, back at the top of the CRTC guidelines, it says this:

For example, under CASL, it is prohibited for a website to automatically install software on a visitor’s computer without getting consent

So what I am getting is that website operators cannot install programs, unless they are cookies, HTML or JavaScript (btw CRTC, JavaScript has an upper case “S”, you should fix that). So for all you programmers out there, make sure you use the right languages! Actually it’s interesting (to me at least) that the actual CASL law says the following, in section 10, where the list above comes from:

10. (8) A person is considered to expressly consent to the installation of a computer program if
(a) the program is
(i) a cookie,
(ii) HTML code,
(iii) Java Scripts,(…)

Don’t get me started on “Java Scripts”. Anyway, so technically, the consent is still actually needed, but it is ascribed to the user. So it’s not really “express” now, is it? This is kind of confusing. Maybe I will make some fees after all!

Allen is there anything else I should know about installing computer programs and the CRTC guidelines?

Yes! The provisions specify that it only applies to computer systems in Canada. Or to people in Canada who are doing the illegal installing. Or people from elsewhere who happen to be in Canada and doing illegal installing. Travelers – brush up!

Also, and this is actually important so pay attention, the provisions apply to upgrades and updates. So you need express consent to install upgrades and updates (again, only if you are not the person who is installing on your own computer or device). Where this gets kind of important (confusing?) is this paragraph:

For example, if a person installs an app from an app store on their own device, CASL would not apply. As a result, their consent for future updates may not have been requested by the app developer. If the software developer wishes to install an update to the app at a later date, they must obtain the person’s consent to do so.

So you chose to download Candy Crush onto your iPad, it’s cool CASL doesn’t apply. But as soon as the insidious Candy Crush people want you to have Candy Crush 2.0, they need your consent. But if you don’t have auto-updates and have to touch “install”? I guess that would be cool, because you’ve installed it yourself. Don’t panic.

Also, there is a transitional period which will at least alleviate this upgrade / update issue for a while:

Under CASL, if a computer program was installed on a person’s computer system before January 15, 2015, the person’s consent to the installation of an upgrade or update is implied until January 15, 2018

So Allen is this all good or bad? Compared to the spam stuff?

Well it’s way better than the spam stuff, that’s for sure. It doesn’t impose outrageous requirements like for CEMs, and it seems more reasonable to me to attempt to control when 3rd parties are installing stuff on my computers and devices without my consent. I want that Russian bride malware (not to mention the Ask.com toolbar) gone already. I do think some of the update stuff is stupid and poorly thought out. And of course, the whole approach of tackling a small nail that is a targeted problem (malware and generally unwanted computer programs) with a giant comedically-oversized mallet is typical government stupidity. Also, as Barry Sookman smartly points out, the CRTC has some pretty dodgy interpretations of “caused to be installed” which are problematic. But even Barry said this about the guidelines:

The CRTC guideline has some pleasant surprises in it. The interpretation of the program provisions attempts to reach pragmatic solutions to complex problems created by CASL.

He does go on to point out some other problems. But really, compared to the spam / CEM provisions, section 8 and its related provisions, in combination with the CRTC’s interpretations from the guidelines, are a delight.

About Me

Allen Mendelsohn is me. I am a lawyer specializing in internet law working out of Montreal, though sometimes I do it in front of the U.S. Capitol. That should tell you what you need to know about internet law in Canada. I also warp young legal minds at the Faculty of Law at McGill.